CVE-2024-48964: 
JavaScript vulnerability analysis and mitigation

The Snyk CLI versions before 1.1294.0 contain a Code Injection vulnerability when scanning untrusted Gradle projects. This vulnerability (CVE-2024-48964) was discovered and disclosed on October 23, 2024. The vulnerability can be triggered when running Snyk test inside an untrusted project due to improper handling of the current working directory name (NVD).

The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Additionally, it has a CVSS v4.0 score of 7.5 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code through code injection when the Snyk CLI is used to scan untrusted Gradle projects. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity ratings across all three aspects (NVD).

The primary mitigation is to upgrade to Snyk CLI version 1.1294.0 or later. Snyk recommends only scanning trusted projects. A patch has been released and is available through the official update channels (Snyk Patch).